Apple Touch ID: Do security advantages outweigh risks?

Tom Olzak examines the security pros and cons associated with Apple's fingerprint authentication technology on the new iPhone 5s.

Fingerprint scanning is a popular form of biometrics. It’s easy to implement and inexpensive compared to other forms of body feature scanning, and it is far better than voice recognition (Olzak, 2010). By itself, however, it is not a cure for weak passwords when protecting highly sensitive information. This is why Apple’s introduction of Touch ID with the iPhone 5s is both a good idea and just one layer of mobile device security.

Fingerprint biometrics

Biometrics-based access controls measure a physical feature or something produced by a human. For example, fingerprint characteristics are a measure of physical features; voice recognition or typing analysis are forms of biometrics created by human action.

The fingerprint or other characteristics are not themselves stored. Rather, an algorithm converts characteristics to a numeric value, which is stored in a secure location. This is done during registering a user with a biometrics solution. When the user presents his or her measured characteristic to a sensor for future access, the algorithm once again converts it to a value and compares the new value to the stored value. If they match, identity is verified and authentication is successful.

Finally, sensors don’t always work as expected. Damaged or dirty sensor surfaces can be big issues. In addition, changes to fingerprint characteristics due to injury or other causes can cause biometrics solutions to deny a user access. Another challenge is the longevity of a fingerprint. While users can change passwords or PINs regularly, undamaged fingerprints remain the same forever.

Apple’s fingerprint sensor on the new iPhone 5s comes with all these challenges.

Touch ID

The new iPhone, to be released on September 20, has a fingerprint sensor built into the home button. (See Apple’s Touch ID YouTube video… please excuse the marketing hype.) In addition to enabling easy security with quick access, rumors abound as to whether this is a first step toward NFC implementation: something still missing from the 5s. But along with advantages of ease of use come all the challenges of single-factor biometrics authentication, including forgery, false negatives, and employee mistrust of biometrics.

Apple does the right thing by storing the converted biometrics measurement in a secure location on the iPhone: the new A7 chip. It is never shared outside the phone. Although this is good news, it still doesn’t prevent fingerprint forgery. How well the iPhone handles forgeries is still unknown. However, I expect we’ll see how easy—or hard—forgery is as hackers aggressively go after this new opportunity.

Forgery defense is best mounted by using a second authentication factor (Olzak, 2010). For example, in addition to fingerprint verification, a password is used. Using two-factor authentication is not a viable solution for many organizations. However, when highly sensitive data is involved, it is the best protection. Two-factor authentication can decrease the probability of unwanted access to levels recommended by associated risk assessments (Olzak, 2012).

False negatives occur when the fingerprint verification process incorrectly rejects a registered print. Employee frustration runs high when access to a device is blocked due to technical failure. Blocked access to a phone will raise employee annoyance to new highs. Apple deals with this by requiring the creation of a PIN at the time of fingerprint registration that provides a workaround when biometrics fails.

Many users will resist using Touch ID. The myth persists that someone, especially the NSA or other government agency, will grab fingerprint data for nefarious purposes. If an iPhone vulnerability exists that allows theft of fingerprint values, it will be useful for bypassing the actual fingerprint. However, attacks of this nature usually require special technical resources. The advantages of Touch ID outweigh the risks. User education is an important part of implementation, including the fact that Apple encrypts the values before storing them in a secure location.

None of Apple’s Touch ID controls works well when an iPhone is physically in the hands of an attacker. Fingerprint biometrics combined with a password is no replacement for Internet-based device location and data destruction services, such as Apple’s Find My iPhone and McAfee’s Mobile Security. It also doesn’t replace controlling with automated policy enforcement (e.g., MobileIron and Good Technologies) what users can do and store with their iPhones. Apple’s Touch ID does not supplant layered mobile security controls.

While Touch ID is an innovative step toward securing mobile devices, it suffers from the same vulnerabilities as other fingerprint identification solutions: forgery, sensor challenges, and user resistance.

No single control is enough to protect sensitive data; this applies to all devices, including the iPhone. In addition to remote destruction of data on lost or stolen devices, controlling what users can access, what they can do with the data accessed, and implementing multi-factor authentication where appropriate still remain important controls supporting any fingerprint biometrics implementation.

By Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

Full Bio

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.